https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-match-MQTT-Protocol-and-an-AWS-site/m-p/85333#M80195 If this is not for HTTP/HTTPS traffic, a custom application/site as you've created won't work.<BR />Instead, create an FQDN Domain object which resolves based on forward DNS and use a simple TCP service to allow the relevant traffic.<BR /> Thu, 14 May 2020 19:43:00 GMT PhoneBoy 2020-05-14T19:43:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-match-MQTT-Protocol-and-an-AWS-site/m-p/85087#M80192 <P>We're trying to allow traffic to a specific AWS site, which unfortunately resolves to several IP addresses and none of which we can control therefore they are dynamic. Initially, we tried creating a Custom Application/Site for this, but that appears to want to match on Web Service traffic. So then we added port 1883 to the "Web Services" that Application Control blade uses. It still isn't matching on our rule which is a source being internal networks, destination is Any, and Services and Applications is this custom app. I'm guessing that won't work as this really isn't "web" traffic in the sense it is not http or https but on a non-standard port.</P><P>&nbsp;</P><P>I see Checkpoint has an application for MQTT Protocol, but I don't know if I want to allow that protocol for Every destination. Is there a way to do this without having to use Dynamic Domain objects in the destination? That is, I want to define an application that goes to specific URL names but the protocol (port) needs to match the MQTT Protocol.</P> Wed, 13 May 2020 16:14:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-match-MQTT-Protocol-and-an-AWS-site/m-p/85087#M80192 Trevor_Bruss 2020-05-13T16:14:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-match-MQTT-Protocol-and-an-AWS-site/m-p/85319#M80193 Screenshots of what you did?<BR />Does the URL in question contain the port? Thu, 14 May 2020 18:02:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-match-MQTT-Protocol-and-an-AWS-site/m-p/85319#M80193 PhoneBoy 2020-05-14T18:02:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-match-MQTT-Protocol-and-an-AWS-site/m-p/85329#M80194 <P>Here is an example of the test we can run to determine connectivity.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Test-AWS.PNG" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6085i3766F1171CB6C6EA/image-size/medium?v=v2&amp;px=400" role="button" title="Test-AWS.PNG" alt="Test-AWS.PNG" /></span></P><P>Here is the rule:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Allow-rule.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6083i6605BB2ED0A5DE94/image-size/large?v=v2&amp;px=999" role="button" title="Allow-rule.png" alt="Allow-rule.png" /></span></P><P>Source is our internal network. And this is what we have for this specific application defined inside of the Everybody_Allowed application group.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fleet.PNG" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6084i31E2FD1361E9CB7B/image-size/large?v=v2&amp;px=999" role="button" title="Fleet.PNG" alt="Fleet.PNG" /></span></P><P>&nbsp;</P><P>I tried multiple things, first of which was to add a service defined for TCP-8883 to the Web Browsing services in the Application Contol and URL Filtering advanced settings. That didn't appear to help. I couldn't find an application for MQTT over TLS but I did see one for MQTT (port 1883) with an application signature. I tried to clone that and specify a different port, but that didn't work likely because it wasn't matching the original application signature.</P><P>&nbsp;</P><P>As this is not normal HTTP/s traffic but is a separate protocol for IoT devices wrapped in a TLS connection (at least that is my understanding of how you can secure MQTT). I wasn't sure if I could define this in a custom application as I've seen other people post on defining an app that doesn't use the default Web Services. Are you suggesting I try adding the port 8889 to the end of the AWS URL in my URL list?</P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P>I'm trying to determine how to open all the IPs behind this first AWS Iot URL in the list above, but without having to use some form of dynamic name which requires a reverse lookup. I also don't want to just open the port 8883 to all destinations, which I know will work but seems like the brute method.</P><P>&nbsp;</P> Thu, 14 May 2020 18:45:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-match-MQTT-Protocol-and-an-AWS-site/m-p/85329#M80194 Trevor_Bruss 2020-05-14T18:45:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-match-MQTT-Protocol-and-an-AWS-site/m-p/85333#M80195 If this is not for HTTP/HTTPS traffic, a custom application/site as you've created won't work.<BR />Instead, create an FQDN Domain object which resolves based on forward DNS and use a simple TCP service to allow the relevant traffic.<BR /> Thu, 14 May 2020 19:43:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-match-MQTT-Protocol-and-an-AWS-site/m-p/85333#M80195 PhoneBoy 2020-05-14T19:43:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-match-MQTT-Protocol-and-an-AWS-site/m-p/85334#M80196 <P>Are there any concerns with using an FQDN Domain object as there were in the past with it consuming resources? I thought every time it gets to the rule it needs to do a DNS lookup? We're running R80.20SP on our gateways.</P> Thu, 14 May 2020 19:47:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-match-MQTT-Protocol-and-an-AWS-site/m-p/85334#M80196 Trevor_Bruss 2020-05-14T19:47:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-match-MQTT-Protocol-and-an-AWS-site/m-p/85335#M80197 The main problem in the past was the lack of SecureXL acceleration for Domain objects.<BR />This has been resolved since R80.10.<BR />There will be some additional lookups from the gateways but beyond that, not aware of any specific performance issues. Thu, 14 May 2020 19:51:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-match-MQTT-Protocol-and-an-AWS-site/m-p/85335#M80197 PhoneBoy 2020-05-14T19:51:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-match-MQTT-Protocol-and-an-AWS-site/m-p/182085#M80198 <P>Hi Trevor_Bruss,</P><P>&nbsp;</P><P>I am trying to assist a customer who wants to limit&nbsp; particular string being published via MQTT protocol.</P><P>That string has the test "cloud" in it .&nbsp;</P><P>&nbsp;</P><P>I have tried the attached:</P><P>&nbsp;</P><P>But doesnt seem to block anything.</P><P>&nbsp;</P><P>Not sure if anyone knows how I could achieve this ?</P><P>&nbsp;</P><P>Maybe via IPS or something ?</P><P>Let me know</P><P>Thanks</P><P>&nbsp;</P><DIV class="">&nbsp;</DIV><P>&nbsp;</P><P>&nbsp;</P><DIV class="">&nbsp;</DIV><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 25 May 2023 09:31:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-match-MQTT-Protocol-and-an-AWS-site/m-p/182085#M80198 Darren_Fine 2023-05-25T09:31:33Z